Security in Cloud Workshop
March 8, 2019
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Schedule
Security is Job Zero at AWS
(Diagram: security layers, labelled System, Network and Physical.)
AWS Shared Responsibility Model: for Infrastructure Services
(Diagram, reconstructed from the slide labels.)
Managed by customers:
• Customer IAM
• Customer content
• Platform & Applications Management
• Operating System, Network & Firewall Configuration
• Client-Side Data Encryption & Data Integrity Authentication
• Server-Side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption / Integrity / Identity)
• Optional – Opaque data: 1's and 0's (in transit/at rest)
Managed by AWS:
• AWS IAM
• API Endpoints (API Calls)
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Infrastructure Service Example – EC2
RESPONSIBILITIES
Customers:
• Customer Data
• High Availability, Scaling
AWS:
• AWS Global Infrastructure
• AWS API Endpoints
AWS Shared Responsibility Model: for Container Services
(Diagram, reconstructed from the slide labels.)
Managed by customers:
• Customer content
• Firewall Configuration / Management
• Data Integrity Authentication
• Network Traffic Protection Protocols (Encryption / Integrity / Identity)
• Optional – Opaque data: 1's and 0's (in transit/at rest)
Managed by AWS:
• Platform & Applications Management
• API Endpoints (API Calls)
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Infrastructure Service Example – RDS
RESPONSIBILITIES
AWS:
• Operating System
• Platform / Application
• AWS Global Infrastructure
AWS Shared Responsibility Model: for Abstract Services
(Diagram, reconstructed from the slide labels.)
Managed by customers:
• Customer content
• Client-Side Data Encryption & Data Integrity Authentication (optional)
Managed by AWS:
• AWS IAM
• API Endpoints (API Calls)
• Operating System, Network & Firewall Configuration
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Infrastructure Service Example – S3
RESPONSIBILITIES
Customers:
• Customer Data
AWS:
• AWS API Endpoints
• High Availability / Scaling
• Operating System
Summary of Customer Responsibility in the Cloud
• Applications
• Firewall
• Operating System
• Networking/Firewall
What is Identity Management?
AWS Principals
AWS Identity and Access Management (IAM)
Securely control access to AWS services and resources for your users.
Optional configurations:
• Password for console access.
• Policies for controlling access to AWS APIs.
• Two methods to sign API calls:
  – X.509 certificate
  – Access/Secret Keys
• Multi-factor Authentication (MFA)
Assurance Programs
AWS Artifacts - Compliance reports
AWS Responsibilities
• Amazon has been building large-scale data centers for many years.
• Important attributes:
– Nondescript facilities
– Robust perimeter controls
– Strictly controlled physical access
– Two or more levels of two-factor authentication
• Controlled, need-based access.
• All access is logged and reviewed.
• Separation of Duties
– Employees with physical access don’t have logical privileges.
One last thing about data sanitization
AWS Global Infrastructure
20 Regions – 60 Availability Zones – 160 Points of presence
Regions and Availability Zones (AZ count per region in parentheses):
• US East: N. Virginia (6), Ohio (3)
• US West: N. California (3), Oregon (3)
• Canada: Central (2)
• South America: São Paulo (3)
• Europe: Frankfurt (3), Ireland (3), London (3), Paris (3), Stockholm (3)
• China: Beijing (2), Ningxia (3)
• Asia Pacific: Mumbai (2), Seoul (2), Singapore (3), Sydney (3), Tokyo (4), Osaka-Local (1)
• GovCloud (US): US-East (3), US-West (3)
VPC
VPC = Virtual Private Cloud
• Your virtual data center on AWS
• Block of IPs that define your network (typically RFC 1918)
• Can span multiple AZs
• Default VPCs
(Diagram: a VPC with CIDR 10.1.0.0/16 spanning Availability Zone A and Availability Zone B.)
VPC subnet
• Range of IPs in your VPC IP range
• Lives inside an AZ
• Can provide security at the subnet or network level with access control lists (ACLs)
(Diagram: subnets 10.1.1.0/24 and 10.1.10.0/24, one in Availability Zone A and one in Availability Zone B.)
Internet gateway
• Default VPC includes an IGW
(Diagram: subnets in Availability Zones A and B reach the public Internet and the AWS API endpoints through the Internet Gateway.)
Route table
Contains a set of rules, called routes, that are used to determine where network traffic is directed.
(Diagram: the route 0.0.0.0/0 via igw sends Internet-bound traffic through the Internet Gateway to the public Internet and the AWS API endpoints.)
VGW and VPN connection
(Diagram: an internal user in the corporate data center (on-premises network) reaches subnets in Availability Zones A and B over a VPN over the Internet, terminated at the Customer Gateway on the corporate side and the virtual private gateway (VGW) on the VPC side.)
Security Group
VPC security controls
(Diagram: VPC 10.1.0.0/16 containing EC2 Instance 1 (10.1.1.6), Instance 2 (10.1.1.7) and Instance 3 (10.1.10.20), connected through the virtual router with two route tables.)
Multi-tier architecture using Security Groups
Web Layer
Application Layer
Database Layer
Network ACLs = Stateless Firewall Rules
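As an added example that is not part of the workshop deck, the following Python models the difference the two preceding slides name: a stateful security group versus a stateless network ACL, for the web server at 10.1.1.6 shown on the VPC slides. The reply to an allowed HTTPS request passes the security group automatically but is dropped by a network ACL that lacks an outbound ephemeral-port rule. The client address and the rule sets are constructed for the example.

```python
"""Stateful (security group) vs stateless (network ACL) rule evaluation.
Added example, not from the workshop deck. 10.1.1.6 comes from the VPC slides;
the client address and rule sets are constructed."""
from ipaddress import ip_address, ip_network

def rule_matches(rule, flow):
    """A rule matches when direction, remote CIDR and destination port agree."""
    remote = flow["src"] if flow["dir"] == "in" else flow["dst"]
    lo, hi = rule["ports"]
    return (rule["dir"] == flow["dir"]
            and ip_address(remote) in ip_network(rule["cidr"])
            and lo <= flow["dport"] <= hi)

class SecurityGroup:
    """Stateful: remembers allowed flows, so reply packets pass without a rule."""
    def __init__(self, rules):
        self.rules, self.state = rules, set()
    def allows(self, flow):
        if (flow["dst"], flow["dport"], flow["src"], flow["sport"]) in self.state:
            return True                      # reply to a tracked flow
        if any(rule_matches(r, flow) for r in self.rules):
            self.state.add((flow["src"], flow["sport"], flow["dst"], flow["dport"]))
            return True
        return False

class NetworkAcl:
    """Stateless: every packet, replies included, must match an explicit rule."""
    def __init__(self, rules):
        self.rules = rules
    def allows(self, flow):
        return any(rule_matches(r, flow) for r in self.rules)

CLIENT, WEB = "203.0.113.5", "10.1.1.6"     # constructed client, web tier host
REQUEST = {"dir": "in", "src": CLIENT, "sport": 51234, "dst": WEB, "dport": 443}
REPLY = {"dir": "out", "src": WEB, "sport": 443, "dst": CLIENT, "dport": 51234}

SG_RULES = [{"dir": "in", "cidr": "0.0.0.0/0", "ports": (443, 443)}]
# Network ACL that only allows port 443 in both directions ...
NACL_NARROW = [{"dir": "in", "cidr": "0.0.0.0/0", "ports": (443, 443)},
               {"dir": "out", "cidr": "0.0.0.0/0", "ports": (443, 443)}]
# ... and the corrected one, with an outbound rule for ephemeral reply ports.
NACL_FIXED = NACL_NARROW + [{"dir": "out", "cidr": "0.0.0.0/0", "ports": (1024, 65535)}]

def evaluate(control, packets):
    """Return the allow/deny verdict for each packet, in order."""
    return [control.allows(p) for p in packets]

if __name__ == "__main__":
    print(evaluate(SecurityGroup(SG_RULES), [REQUEST, REPLY]))   # [True, True]
    print(evaluate(NetworkAcl(NACL_NARROW), [REQUEST, REPLY]))   # [True, False]
    print(evaluate(NetworkAcl(NACL_FIXED), [REQUEST, REPLY]))    # [True, True]
```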
What is DDoS Attack?
Types of DDoS attacks
Application-layer DDoS attacks
✓ Protect from most common attacks (SYN/UDP Floods, Reflection Attacks, etc.)
✓ AWS WAF for Layer 7 DDoS attack mitigation
✓ Self-service & pay-as-you-go
✓ Automatically detect & mitigate
AWS Shield Advanced
AWS WAF – Layer 7 application protection
AWS Trusted Advisor Demo
CloudWatch Logs – Centralization of logs
Use cases
• Centralized log store
• Prevent log modification on instances
• Notifications on events
VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
(Diagram: flow records from the AWS account, each marked Accept or Reject.)
VPC Flow Logs – CloudWatch Alarms
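As an added example that is not part of the workshop deck, the following Python parses VPC Flow Log records in the default (version 2) format and derives the reject-count metric and threshold alarm that the two Flow Logs slides describe. The sample records, account id and ENI ids are constructed; the threshold is an assumed value.

```python
"""Parse VPC Flow Log records and derive a REJECT-count metric per ENI and source.
Added example, not from the workshop deck. Assumes the default version 2 record
format; the sample log lines, account id and ENI ids are constructed."""
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample log lines (one NODATA window, three REJECTs, one ACCEPT).
SAMPLE_LOG = """\
2 123456789012 eni-0aaa111 203.0.113.5 10.1.1.6 51234 22 6 3 180 1552000000 1552000059 REJECT OK
2 123456789012 eni-0aaa111 203.0.113.5 10.1.1.6 51235 3389 6 3 180 1552000000 1552000059 REJECT OK
2 123456789012 eni-0aaa111 10.1.1.7 10.1.1.6 44000 443 6 40 9000 1552000000 1552000059 ACCEPT OK
2 123456789012 eni-0bbb222 - - - - - - - 1552000000 1552000059 - NODATA
2 123456789012 eni-0bbb222 198.51.100.9 10.1.10.20 6000 3306 6 2 120 1552000000 1552000059 REJECT OK
"""

def parse_record(line):
    """Split one space-delimited record into a dict; None for NODATA/SKIPDATA."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %r" % line)
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":      # no traffic captured in this window
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec

def reject_metric(log_text):
    """Metric-filter equivalent: REJECT count keyed by (ENI, source address)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            counts[(rec["interface_id"], rec["srcaddr"])] += 1
    return counts

def alarms(counts, threshold=2):
    """Alarm-style evaluation: (ENI, source) pairs at or above the threshold."""
    return sorted(k for k, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    metric = reject_metric(SAMPLE_LOG)
    print(dict(metric))
    print(alarms(metric))   # [('eni-0aaa111', '203.0.113.5')]
```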
VPC Flow Logs
• Amazon Elasticsearch Service
• Amazon CloudWatch Logs subscriptions
Full visibility and logging features
Who did what, when, and from where (IP address)
• CloudTrail/Config support for many AWS services and growing: includes EC2, EBS, VPC, RDS, IAM and Redshift
• Edge/CDN, WAF, ELB, VPC/Network Flow Logs
• Easily aggregate all log information
• CloudWatch Alarms
Out-of-the-box integration with log analysis tools from AWS partners including Splunk, Alert Logic and Sumo Logic
AWS CloudTrail example
Automate actions on events
(Diagram: Amazon CloudWatch, Lambda and Amazon SNS chained to automate actions on events.)
AWS Config
Managed service for tracking AWS inventory and configuration, and configuration change notification.
(Diagram: AWS Config tracking EC2, EBS, VPC and CloudTrail resources.)
AWS Config Demo
Data Encryption At-Rest
Key handling questions for any solution
Options for using encryption in AWS
Client-side encryption
• You encrypt your data before it is submitted to the service
• You supply encryption keys OR use keys in your AWS account
• Available clients: S3, EMR File System (EMRFS), DynamoDB, AWS Encryption SDK
Server-side encryption
• AWS encrypts data on your behalf after it is received by the service
• 19 integrated services including S3, Snowball, EBS, RDS, Amazon Redshift, WorkSpaces, Amazon Kinesis Firehose, CloudTrail
AWS Key Management Service (AWS KMS)
AWS KMS is fully integrated with AWS IAM
AWS KMS integration with AWS services
(Diagram: download a public RSA wrapping key from KMS.)
AWS CloudHSM
Key handling solutions from AWS Marketplace
AWS Marketplace Security Partners
Data protection
AWS Marketplace Demo
Thank You
Herman Mak
Solutions Architect
Twitter: @hermanmakHK
Github: hermanmak
Submit your feedback to get $25 AWS credit